Analysis

Commercial code is more compliant to security standards

29th July 2015
Nat Bowers
0

Announcing the release of its annual Coverity Scan Open Source Report, Synopsys has revealed that commercial code is more compliant to security standards than open source code.

The 2014 report details the analysis of nearly 10bn lines of source code through the Coverity Scan service and commercial usage of the Synopsys Coverity Software Testing Platform, the largest sample size that the report has studied to date. For the report, the company analysed code from more than 2,500 open source C/C++ projects as well as an anonymous sample of commercial projects in 2014. Additionally, the report highlights results from several popular, open source Java and C# projects that have joined the Coverity Scan service since March 2013.

The Coverity Scan Open Source Report has become a widely accepted standard for measuring the state of open source code quality. Since its inception nine years ago, the Coverity Scan service has analysed billions of lines of code, and as of today, has reviewed more than 5,100 open source projects – including C/C++ projects, such as Linux, FreeBSD, LibreOffice, Python, PostgreSQL, Firefox and NetBSD, and Java projects, such as Apache Hadoop, HBase, Tomcat, Cloudstack and Cassandra. The Coverity Scan service has helped developers find and fix more than 240,000 defects since 2006. As detailed in the new Coverity Scan Open Source Report, nearly 152,000 defects were fixed in 2014 alone – more than the total amount of defects that had been found in the previous history of the service.

Based on static analysis defect density, open source code outpaced commercial code for quality in the 2013 report. This trend continues in 2014; however, this year the report also compared security compliance standards such as OWASP (Open Web Application Security Project) Top 10 and CWE (Common Weakness Enumeration) 25, and found that commercial code is more compliant with these standards than open source code.

Key findings from the latest report include:

  • Defect density (defects per 1,000 lines of code) of open source code and commercial code has continued to improve since 2013: When comparing overall defect density numbers between 2013 and 2014, the defect density of both open source code and commercial code has continued to improve. Open source code defect density improved from 0.66 in 2013 to 0.61 in 2014, while commercial code defect density improved from 0.77 to 0.76.
  • Coverity Scan aids OpenSSL in post-Heartbleed investigation: According to OpenSSL co-founder Tim Hudson, the Coverity Scan service helped to catch newly discovered defects and highlight where other issues like the Heartbleed bug might exist. Since Heartbleed, OpenSSL has fixed 302 defects found by Coverity Scan, and now has a 0.21 defect density.
  • Linux remains a benchmark for static analysis defect density: Since joining the Coverity Scan service in 2006, Linux has retained its commitment to quality, which remains a key focus. During 2014, Linux leveraged the Coverity Scan service to find and fix more than 500 high-impact defects, including resource leaks, memory corruptions and uninitialised variables.

Zack Samocha, Director of Marketing, Software Integrity Group, Synopsys, commented: "As a whole, software quality and security are improving, but neither open source nor commercial standards are complete or conclusive enough to catch everything. As software projects are being pushed to market faster than ever before, developers need to balance security with speed. As more of these projects use solutions like Coverity Scan, we expect to see continued improvement in open source and commercial code security throughout 2015."

A full copy of the 2014 Coverity Scan Report can be donwloaded here.

Featured products

Upcoming Events

View all events
Newsletter
Latest global electronics news
© Copyright 2024 Electronic Specifier